Travelers Beware of Sophisticated Booking.com Phishing Attack

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybercriminals have launched a sophisticated phishing attack targeting Booking.com, one of the world’s leading online travel platforms.

This attack, characterized by its complexity and high success rate, has been evolving over the past year, posing significant risks to hotel managers and customers.

This article delves into the intricacies of the attack, highlighting the methods used by cybercriminals and offering guidance on how to protect against such threats.

The Attack’s Two-Phase Strategy

The phishing attack unfolds in two primary phases. First, the attackers compromise the Booking.com accounts of hotel managers. This initial breach allows them to gain access to sensitive information and communication channels.

In the second phase, the attackers exploit the compromised accounts to scam hotel customers through the official Booking.com app, as reported by osintmatter.

This dual-phase strategy has proven highly effective, making it one of the most profitable scams in the cyber threat landscape.

The attackers begin by registering a deceptive domain, ‘extraknet-booking.com,’ which resembles ‘extranet-booking.com,’ a legitimate subdomain used by Booking.com hotel managers.

The attackers trick hotel managers into entering their login credentials by creating a fake portal that mimics the official Booking.com interface. This allows the cybercriminals to harvest sensitive information, including personal and financial data.

The attackers employ various techniques to lure victims to the fake site, from traditional spoofed emails to advanced SEO poisoning.

By manipulating search engine optimization, they ensure their malicious site ranks highly in search results, attracting unsuspecting users.

Once the attackers access hotel manager accounts, they move on to the second phase: targeting hotel customers.

Using the official Booking.com app, they send fraudulent messages to guests, often under the guise of legitimate communication. This method capitalizes on customer trust in the platform, increasing the likelihood of successful scams.

JavaScript Obfuscation

One of the standout features of the phishing site is its use of JavaScript obfuscation. By encoding strings and using complex scripts, the attackers make it difficult for automated tools and researchers to analyze the code.

This obfuscation not only conceals malicious activities but also hints at the attackers’ possible geographic origins, as evidenced by the use of Cyrillic script in the code.

STUN Binding Requests

The attackers also utilize Session Traversal Utilities for NAT (STUN) binding requests to facilitate peer-to-peer communication.

This technique, typically used in legitimate applications like VoIP calls, is repurposed by attackers to exfiltrate data and maintain communication with compromised systems. The unusual volume and port usage of these requests suggest malicious intent.
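For defenders, the volume and port signal described above can be checked in captured UDP traffic. The following is an added example, not code from the original report: it recognizes STUN Binding Requests by their RFC 5389 header and flags sources that send them in bursts or to non-standard ports. The threshold, the record layout and the sample flows are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

STUN_MAGIC_COOKIE = 0x2112A442   # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001         # STUN message type: Binding Request
STANDARD_PORTS = {3478, 5349}    # registered STUN and STUN-over-TLS ports

def is_binding_request(payload: bytes) -> bool:
    """True if the UDP payload carries a well-formed STUN Binding Request header."""
    if len(payload) < 20:                      # header is always 20 bytes
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return (msg_type == BINDING_REQUEST
            and cookie == STUN_MAGIC_COOKIE
            and msg_len % 4 == 0               # attributes are 32-bit aligned
            and 20 + msg_len <= len(payload))  # declared length must fit

def flag_stun(records, max_per_source=3):
    """records: iterable of (src_ip, dst_port, udp_payload).
    Returns {src_ip: {"requests": n, "odd_ports": [...]}} for sources that
    exceed max_per_source (assumed threshold) or use non-standard ports."""
    seen = defaultdict(lambda: {"requests": 0, "odd_ports": set()})
    for src, dport, payload in records:
        if not is_binding_request(payload):
            continue
        seen[src]["requests"] += 1
        if dport not in STANDARD_PORTS:
            seen[src]["odd_ports"].add(dport)
    return {src: {"requests": s["requests"], "odd_ports": sorted(s["odd_ports"])}
            for src, s in seen.items()
            if s["requests"] > max_per_source or s["odd_ports"]}

def build_binding_request(txid: bytes) -> bytes:
    """Helper for the constructed sample: header with no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid

# Constructed sample flows (documentation-range IPs, not taken from the report).
SAMPLE = (
    [("192.0.2.10", 3478, build_binding_request(b"A" * 12))]            # normal
    + [("192.0.2.20", 10000 + i, build_binding_request(bytes([i]) * 12))
       for i in range(5)]                                               # burst, odd ports
    + [("192.0.2.30", 53, b"\x12\x34\x01\x00" + b"\x00" * 20)]          # not STUN
)

if __name__ == "__main__":
    for src, info in flag_stun(SAMPLE).items():
        print(src, info)
```

Legitimate WebRTC and VoIP clients also send Binding Requests, so a real deployment would baseline normal volume per host before alerting.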

Dynamic Cloaking

Dynamic cloaking is another advanced tactic used in this attack. The attackers can avoid detection by showing different content to different users or systems.

The phishing site serves either the fake portal, the genuine Booking.com page, or error pages based on specific conditions, such as the user’s IP address or browser settings.

Phishing Portal

A significant discovery during the investigation was the use of an iFrame linking to numerous phishing pages targeting Booking.com and similar sites.

This iFrame is a central hub that distributes malicious content across multiple sites. It provides attackers with centralized control, a broad reach, and valuable analytics data, allowing them to optimize and refine their attack strategy.

This sophisticated phishing attack on Booking.com highlights the evolving nature of cyber threats and the need for robust cybersecurity measures. Travelers and hotel managers alike must remain vigilant and take proactive steps to protect themselves.

As cybercriminals continue to refine their tactics, staying informed and cautious is crucial to safeguarding personal and financial information.
